z/OS IBM CICS Transaction Server for TSS Security Technical Implementation Guide

  • Version/Release: V6R9
  • Published: 2023-03-17
  • Released: 2023-04-27

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
CICS system data sets are not properly protected.
CM-5 - Medium - CCI-001499 - V-224729 - SV-224729r520291_rule
  • RMF Control: CM-5
  • Severity: Medium
  • CCI: CCI-001499
  • Version: ZCIC0010
  • Vuln IDs: V-224729, V-7516
  • Rule IDs: SV-224729r520291_rule, SV-7978
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system data sets (i.e., product, security, and application libraries) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-26420r520289_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
   - SENSITVE.RPT(CICSRPT)
   Since it is possible to have multiple CICS regions running on an LPAR, it is recommended that you go into the z/OS STIG Addendum and fill out all the information in the "CICS System Programmers Worksheet" for each CICS region running on your LPAR. It is recommended that you save this information for any other CICS vulnerabilities that will require it.
b) WRITE and/or ALLOCATE access to CICS system data sets is restricted to systems programming personnel.
c) If (b) is true, there is NO FINDING.
d) If (b) is untrue, this is a FINDING.

Fix: F-26408r520290_fix

Review the access authorizations for CICS system data sets for each region. Ensure they conform to the specifications below:

A CICS environment may include several data set types required for operation. Typically they are CICS product libraries (usually included in the STEPLIB concatenation, but they may be found in DD DFHRPL), CICS system data sets that can be identified with DFH DD statements, other product system data sets, and application program libraries.

Restrict alter and update access to CICS program libraries and all system data sets to systems programmers only. Other access must be documented and approved by the IAO.

The site may determine access to application data sets included in the DD DFHRPL and CICS region startup JCL according to need.

Ensure that procedures are established, documented, and followed that prevent the introduction of unauthorized or untested application programs into production application systems.

Sensitive CICS transactions are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224730 - SV-224730r520294_rule
  • RMF Control: AC-3
  • Severity: Medium
  • CCI: CCI-000213
  • Version: ZCIC0020
  • Vuln IDs: V-224730, V-251
  • Rule IDs: SV-224730r520294_rule, SV-7529
Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.
Checks: C-26421r520292_chk

a) Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection:
   - TSSCMDS.RPT(WHOOOTRA)
   - SENSITVE.RPT(WHOHOTRA)
   Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure the following items are in effect for all CICS regions:
   NOTE: Authorized personnel include systems programming and security staffs. Additional guidance regarding authorized personnel for specific transactions is included in this z/OS STIG Addendum. For example, CEMT SPI provides a broader use of this sensitive transaction by restricting execution to inquiries.
   1) Transactions listed in tables CICS CATEGORY 2 CICS AND OTHER PRODUCT TRANSACTIONS and CICS CATEGORY 4 COTS-SUPPLIED SENSITIVE TRANSACTIONS, in the z/OS STIG Addendum, are restricted to authorized personnel.
   Note: The exception to this is the CEOT and CSGM transactions, which can be made available to all users.
   Note: The exception to this is the CWBA transaction, which can be made available to the CICS Default user.
   Note: The transactions beginning with "CK" apply to regions running WebSphere MQ.
   Note: Category 1 transactions are internally restricted to CICS region userids.
c) If sensitive transactions referenced in (b) are protected as indicated, there is NO FINDING.
d) If any sensitive transaction referenced in (b) is not protected as indicated, this is a FINDING.

Fix: F-26409r520293_fix

Develop a plan to implement the required changes.

1. Most transactions are protected by profiles. An example would be "L2TRANS", which would be permitted all Category 2 transactions. L2TRANS is defined to CA-TSS as a profile and is permitted to all the Category 2 transactions.

   An example of how to implement this within CA-TSS is shown here:

     TSS CRE(L2TRANS) TYPE(PROF) DEPT(<dept acid>) NAME('L2 TRANS') INSTDATA('PROFILE GRANTING ACCESS TO ALL CATEGORY 2 TRANS')
     TSS ADD(<owning acid>) OTRAN(CADP CBAM CDBC)
     TSS PER(L2TRANS) OTRAN(CADP CBAM CDBC)

   Permission to the transaction group can be accomplished with a sample command:

     TSS PER(USERID)OTRAN(TRANSACTION)

   Permission to the transactions can be accomplished by adding the L2TRANS profile to a user's ACID. Example:

     TSS ADD(<user's acid>) PROF(L2TRANS)

2. Transaction groups should be defined and permitted in accordance with the CICS Transaction tables listed in the z/OS STIG Addendum.

CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
CM-6 - Medium - CCI-000366 - V-224731 - SV-224731r868631_rule
  • RMF Control: CM-6
  • Severity: Medium
  • CCI: CCI-000366
  • Version: ZCIC0030
  • Vuln IDs: V-224731, V-302
  • Rule IDs: SV-224731r868631_rule, SV-7531
The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-26422r868629_chk

Refer to the following report produced by the z/OS Data Collection:
   - EXAM.RPT(CICSPROC)

Refer to the following report produced by the CICS Data Collection:
   - CICS.RPT(DFHSITxx)

Refer to the information gathered from the CICS Systems Programmer's Worksheet filled out from previous vulnerability ZCIC0010.

Refer to the CICS region SYSLOG (alternate source of SIT parameters). Be sure to process DFHSIT based on the order specified.

The system initialization parameters are processed in the following order, with later system initialization parameter values overriding those specified earlier. CICS system initialization parameters are specified in the following ways:
   - In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
   - In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
   - In the SYSIN data set defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).

Ensure the following CICS System Initialization Table (SIT) parameter settings are specified for each CICS region. If the following guidance is true, this is not a finding.

___ SEC=YES - If SEC is not coded in the CICS region startup JCL, go to offset x'117' from the beginning on the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.

     X'80' EQU B'10000000' External Security Requested

___ DFLTUSER=<parameter> - If DFLTUSER is not coded in the CICS region startup JCL, go to offset x'118' from the beginning on the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid.

___ XUSER=YES - If XUSER is not coded in the CICS region startup JCL, go to offset x'117' from the beginning on the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.

     X'04' EQU B'00000100' Surrogate User Checking required

___ SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX - If SNSCOPE is not coded in the CICS region startup JCL, go to offset x'124' from the beginning on the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. Ensure that users cannot sign on to more than one CICS production region within the scope of a single CICS region, a single z/OS image, or a sysplex. Below are the hex settings for this flag:

     X'01' EQU 1 SIGNON SCOPE = NONE
     X'02' EQU 2 SIGNON SCOPE = CICS
     X'03' EQU 3 SIGNON SCOPE = MVSIMAGE
     X'04' EQU 4 SIGNON SCOPE = SYSPLEX

Note: SNSCOPE=NONE is only allowed with test/development regions.

Fix: F-26410r868630_fix

Ensure that CICS System Initialization Table (SIT) parameter values are specified using the following guidance.

The system initialization parameters are processed in the following order, with later system initialization parameter values overriding those specified earlier. CICS system initialization parameters are specified in the following ways:
   - In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
   - In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
   - In the SYSIN data set defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).

SEC=YES - If SEC is not coded in the CICS region startup JCL, go to offset x'117' from the beginning on the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are listed the hex and bit settings for this flag.

     X'80' EQU B'10000000' External Security Requested <<===
     X'40' EQU B'01000000' Resource Prefix Required
     X'10' EQU B'00010000' RACLIST class APPCLU required
     X'08' EQU B'00001000' ESM INSTLN data is required
     X'04' EQU B'00000100' Surrogate User Checking required
     X'02' EQU B'00000010' Always enact resource check
     X'01' EQU B'00000001' Always enact command check

DFLTUSER=<parameter> - If DFLTUSER is not coded in the CICS region startup JCL, go to offset x'118' from the beginning on the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid.

XUSER=YES - If XUSER is not coded in the CICS region startup JCL, go to offset x'117' from the beginning on the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are listed the hex and bit settings for this flag.

     X'80' EQU B'10000000' External Security Requested <<===
     X'40' EQU B'01000000' Resource Prefix Required
     X'10' EQU B'00010000' RACLIST class APPCLU required
     X'08' EQU B'00001000' ESM INSTLN data is required
     X'04' EQU B'00000100' Surrogate User Checking required
     X'02' EQU B'00000010' Always enact resource check
     X'01' EQU B'00000001' Always enact command check

SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX - If SNSCOPE is not coded in the CICS region startup JCL, go to offset x'124' from the beginning on the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. Ensure that users cannot sign on to more than one CICS production region within the scope of a single CICS region, a single z/OS image, or a sysplex. Below are the hex settings for this flag:

     X'01' EQU 1 SIGNON SCOPE = NONE
     X'02' EQU 2 SIGNON SCOPE = CICS
     X'03' EQU 3 SIGNON SCOPE = MVSIMAGE
     X'04' EQU 4 SIGNON SCOPE = SYSPLEX

Note: SNSCOPE=NONE is only allowed with test/development regions.
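
The ZCIC0030 check described above, as an added example that is not part of the STIG or of any DISA or IBM tooling: it reads the security byte, DFLTUSER and SNSCOPE at the offsets quoted in the text, applies PARM and then SYSIN overrides in the stated order, and lists findings. Assumptions of this example: the SIT is supplied as raw binary bytes starting at the beginning of the table, DFLTUSER is EBCDIC text, overrides arrive as a list of KEY=VALUE strings, and all function names are hypothetical.

```python
# Added example (not DISA or IBM code). Offsets and flag values are the ones
# quoted in the ZCIC0030 text; input handling is an assumption of this example.
SEC_FLAGS_OFFSET, DFLTUSER_OFFSET, SNSCOPE_OFFSET = 0x117, 0x118, 0x124
EXTERNAL_SECURITY, SURROGATE_CHECKING = 0x80, 0x04
SNSCOPE_VALUES = {0x01: "NONE", 0x02: "CICS", 0x03: "MVSIMAGE", 0x04: "SYSPLEX"}


def decode_sit(image: bytes) -> dict:
    """Read the four checked settings from a raw (binary) SIT image."""
    if len(image) <= SNSCOPE_OFFSET:
        raise ValueError("SIT image too short to contain offset x'124'")
    flags = image[SEC_FLAGS_OFFSET]
    scope = image[SNSCOPE_OFFSET]
    # Assumption: the 8-byte userid is EBCDIC, padded with blanks or nulls.
    userid = image[DFLTUSER_OFFSET:DFLTUSER_OFFSET + 8].decode("cp037")
    return {
        "SEC": "YES" if flags & EXTERNAL_SECURITY else "NO",
        "XUSER": "YES" if flags & SURROGATE_CHECKING else "NO",
        "DFLTUSER": userid.strip(" \x00"),
        "SNSCOPE": SNSCOPE_VALUES.get(scope, f"UNKNOWN(X'{scope:02X}')"),
    }


def _apply(settings: dict, overrides) -> None:
    """Overlay KEY=VALUE overrides for the settings this check looks at."""
    for item in overrides:
        key, sep, value = item.strip().partition("=")
        if sep and key.upper() in settings:
            settings[key.upper()] = value.strip().upper()


def effective_settings(image: bytes, parm=(), sysin=()) -> dict:
    """SIT first, then PARM, then SYSIN (only when PARM codes SYSIN)."""
    settings = decode_sit(image)
    _apply(settings, parm)
    if any(item.strip().upper() == "SYSIN" for item in parm):
        _apply(settings, sysin)
    return settings


def zcic0030_findings(settings: dict, production: bool = True) -> list:
    """Return the reasons the region fails the check (empty list = no finding)."""
    findings = []
    if settings["SEC"] != "YES":
        findings.append("SEC is not YES")
    if settings["XUSER"] != "YES":
        findings.append("XUSER is not YES")
    if not settings["DFLTUSER"]:
        findings.append("DFLTUSER is not specified")
    if settings["SNSCOPE"] not in SNSCOPE_VALUES.values():
        findings.append("SNSCOPE is not a listed value")
    elif settings["SNSCOPE"] == "NONE" and production:
        findings.append("SNSCOPE=NONE on a production region")
    return findings


def build_sample_sit() -> bytes:
    """Constructed sample: zero-filled image with only the checked fields set."""
    image = bytearray(0x130)
    image[SEC_FLAGS_OFFSET] = EXTERNAL_SECURITY | SURROGATE_CHECKING
    image[DFLTUSER_OFFSET:DFLTUSER_OFFSET + 8] = "CICSUSER".encode("cp037")
    image[SNSCOPE_OFFSET] = 0x01  # SIGNON SCOPE = NONE
    return bytes(image)


if __name__ == "__main__":
    sit = build_sample_sit()
    # SYSIN is ignored here because PARM does not code SYSIN.
    weak = effective_settings(sit, parm=["SEC=NO"], sysin=["SEC=YES"])
    print(weak, zcic0030_findings(weak))
    # With SYSIN coded in PARM, the SYSIN values override PARM and the SIT.
    fixed = effective_settings(
        sit, parm=["SYSIN", "SEC=NO"], sysin=["SEC=YES", "SNSCOPE=SYSPLEX"]
    )
    print(fixed, zcic0030_findings(fixed))
```
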

CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
IA-2 - Medium - CCI-000764 - V-224732 - SV-224732r520300_rule
  • RMF Control: IA-2
  • Severity: Medium
  • CCI: CCI-000764
  • Version: ZCIC0040
  • Vuln IDs: V-224732, V-44
  • Rule IDs: SV-224732r520300_rule, SV-7533
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-26423r520298_chk

a) Refer to the following report produced by the z/OS Data Collection:
   - EXAM.RPT(CICSPROC)
   Refer to the following reports produced by the TSS Data Collection:
   - TSSCMDS.RPT(@ACID)
   - TSSCMDS.RPT(#STC)
   Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure the following items are in effect for each CICS region ACID.
   1) A unique ACID is associated with the CICS region.
   2) No access to interactive online facilities (e.g., TSO) other than CICS.
   3) CICS region ACID does not have any BYPASS privilege.
      EXCEPT: NOSUBCHK - REQUIRED FOR CICS REGIONS TO SUBMIT BATCH PROCESSING/JOBS OF THE USER WHO IS LOGGED INTO CICS.
   4) Ensure that each CICS region ACID is associated with a TSS CICS facility. For example:
        TSS ADD(CICS region ACID) MASTFAC(CICS facility)
   5) CICS region is defined in the STC table. For example:
        TSS ADD(STC) PROCNAME(CICS region) ACID(CICS ACID)
c) If all items in (b) are true, this is not a finding.
d) If any item in (b) is untrue, this is a finding.

Fix: F-26411r520299_fix

Review all CICS region, default, and end-user userids to ensure they are defined and controlled as required.

Ensure the following items are in effect for each CICS region ACID:
   - A unique ACID is associated with the CICS region.
   - No access to interactive online facilities (e.g., TSO) other than CICS.
   - CICS region ACID does not have any BYPASS privilege.
   - CICS region ACID is associated with a TSS CICS facility. (The IAO will determine the MASTFAC used.)
   - CICS region is defined in the STC table. For example:
       TSS ADD(STC) PROCNAME(CICS region) ACID(CICS ACID)

CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
IA-2 - Medium - CCI-000764 - V-224733 - SV-224733r904350_rule
  • RMF Control: IA-2
  • Severity: Medium
  • CCI: CCI-000764
  • Version: ZCIC0041
  • Vuln IDs: V-224733, V-7119
  • Rule IDs: SV-224733r904350_rule, SV-7537
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-26424r904344_chk

Refer to the following report produced by the z/OS Data Collection:
   - EXAM.RPT(CICSPROC)

Refer to the following report produced by the TSS Data Collection and Data Set and Resource Data Collection:
   - TSSCMDS.RPT(@ACIDS)
   - SENSITVE.RPT(WHOHOTRA)

Refer to the information gathered from the CICS Systems Programmer's Worksheet filled out from previous vulnerability ZCIC0010.

Ensure the following items are in effect for the CICS default ACID (i.e., DFLTUSER=default userid). If all of the following guidance is true, this is not a finding.
   1) Not granted the TSS BYPASS privilege.
   2) No access to interactive on-line facilities (e.g., TSO) other than CICS.
   3) OPTIME parameter is set to 15 minutes.
   4) A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the ISSM. The ISSM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
   5) Restricted from accessing all data sets and resources with the following exceptions:
      (a) Non-restricted CICS transactions (e.g., CESF, CESN, 'good morning' transaction, etc.).
      (b) If applicable, resources necessary to operate in an intersystem communication (ISC) environment (i.e., LU6.1, LU6.2, and MRO).

Note: Refer to the IBM CICS Transaction Server Resource Definition Guide for the latest and most accurate definition for the Default CICS User.
Note: Any exceptions to these guidelines must be approved by the site ISSO and documented in the site security plan.

Fix: F-26412r868633_fix

Review all CICS region, default, and end-user userids to ensure they are defined and controlled as required.

Ensure the following items are in effect for the CICS default ACID (i.e., DFLTUSER=default userid):
   1) Not granted the TSS BYPASS privilege.
   2) No access to interactive on-line facilities (e.g., TSO) other than CICS.
   3) OPTIME parameter is set to 15 minutes. It can be increased up to 30 minutes if justified by the ISSM.
   4) Restricted from accessing all data sets and resources with the following exceptions:
      (a) Non-restricted CICS transactions (e.g., CESF, CESN, 'good morning' transaction, etc.).
      (b) If applicable, resources necessary to operate in an intersystem communication (ISC) environment (i.e., LU6.1, LU6.2, and MRO).

CICS logonid(s) must be configured with proper timeout and signon limits.
AC-11 - Medium - CCI-000057 - V-224734 - SV-224734r868636_rule
  • RMF Control: AC-11
  • Severity: Medium
  • CCI: CCI-000057
  • Version: ZCIC0042
  • Vuln IDs: V-224734, V-7120
  • Rule IDs: SV-224734r868636_rule, SV-7543
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-26425r868635_chk

a) Refer to the following report produced by the TSS Data Collection:
   - TSSCMDS.RPT(@ACIDS)
   Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
   NOTE: Any ACID that does not have an OPTIME value specified will obtain its OPTIME value from the default value set in ZCIC0041. Any ACID that specifies an OPTIME value must meet the requirements specified below.
b) For all ACIDs authorized to access a CICS facility, if the OPTIME field is set to 15 minutes, this is not a finding.
   NOTE: If the time-out limit is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these is true, this is not a finding.
   - If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protection.
   - A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the ISSM. The ISSM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
   - The ISSM may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:
     - The time-out exception cannot exceed 60 minutes.
     - A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.).
     - The requirement must be revalidated on an annual basis.
c) If the SIGNMULTI keyword for ACIDs is restricted to test and development use, this is not a finding.

Fix: F-26413r520305_fix

Review all CICS region, default, and end-user userids to ensure they are defined and controlled as required.

Ensure that all ACIDs authorized to access a CICS facility have their OPTIME field set to 15 minutes.

Ensure that all ACIDs authorized to access a CICS facility restrict SIGNMULTI to test and development use.

Example:

     TSS ADDTO(acid) OPTIME(hhmm)
     TSS ADDTO(acid) FACILITY(facility) SIGNMULTI

IBM CICS Transaction Server SPI command resources must be properly defined and protected.
AC-4 - Medium - CCI-000035 - V-224735 - SV-224735r855162_rule
  • RMF Control: AC-4
  • Severity: Medium
  • CCI: CCI-000035
  • Version: ZCICT021
  • Vuln IDs: V-224735, V-17982
  • Rule IDs: SV-224735r855162_rule, SV-43227
IBM CICS Transaction Server can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data. Many utilities assign resource controls that can be granted to system programmers only in greater than read authority. Resources are also granted to certain non-systems personnel with read-only authority.
Checks: C-26426r520307_chk

Refer to the following report produced by the TSS Data Collection and Data Set and Resource Data Collection:
   - SENSITVE.RPT(WHOHSPI)
   - TSSCMDS.RPT(WHOOSPI)
   - TSSCMDS.RPT(#RDT)

Automated Analysis: Refer to the following report produced by the TSS Data Collection Checklist:
   - PDI (ZCIC0021)

Ensure that all IBM CICS Transaction Server resources defined in the IBM CICS-RACF Security Guide are properly protected according to the requirements specified in the CICS SPI Resources table in the site security plan; use the CICS SPI Resources table in the z/OS STIG Addendum as a guide. If the following guidance is true, this is not a finding.
   - The TSS resources and/or generic equivalent as designated in the above table are owned or DEFPROT is specified for the resource class.
   - The TSS resource access authorizations restrict access to the appropriate personnel as designated in the above table.

Fix: F-26414r520308_fix

Ensure that access to the IBM CICS Transaction Server command resources defined in the IBM CICS-RACF Security Guide is in accordance with the requirements outlined in the CICS SPI Resources table in the site security plan; use the CICS SPI Resources table in the z/OS STIG Addendum as a guide. These tables list the resources and access requirements for IBM CICS Transaction Server; ensure the following guidelines are followed:
   - The TSS resources and/or generic equivalent as designated in the above table are owned or DEFPROT is specified for the resource class.
   - The TSS resource access authorizations restrict access to the appropriate personnel as designated in the above table.

The following commands are provided as a sample for implementing resource controls:

     TSS ADD(dept-acid) SPI(ASSOCIAT)
     TSS PERMIT(cicsaudt) SPI(ASSOCIAT) ACCESS(READ)
     TSS PERMIT(cicuaudt) SPI(ASSOCIAT) ACCESS(READ)
     TSS PERMIT(syscsaudt) SPI(ASSOCIAT) ACCESS(READ)

CICS userids are not defined and/or controlled in accordance with proper security requirements.
AC-3 - Medium - CCI-000213 - V-224736 - SV-224736r520312_rule
  • RMF Control: AC-3
  • Severity: Medium
  • CCI: CCI-000213
  • Version: ZCICT041
  • Vuln IDs: V-224736, V-7121
  • Rule IDs: SV-224736r520312_rule, SV-7525
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-26427r520310_chk

a) Refer to the following report produced by the TSS Data Collection:
   - TSSCMDS.RPT(WHOOPROP)
   Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure the CICS region is defined to the PROPCNTL resource class.
c) If (b) is true, there is NO FINDING.
d) If (b) is untrue, this is a FINDING.

Fix: F-26415r520311_fix

Ensure the CICS region is defined to the PROPCNTL resource class.

Example:

     TSS ADDTO(owning acid) PROPCNTL(CICS region acid)

Control options for the Top Secret CICS facilities must meet minimum requirements.
CM-6 - Medium - CCI-000366 - V-224737 - SV-224737r868639_rule
  • RMF Control: CM-6
  • Severity: Medium
  • CCI: CCI-000366
  • Version: ZCICT050
  • Vuln IDs: V-224737, V-7555
  • Rule IDs: SV-224737r868639_rule, SV-8032
TSS CICS facilities define the security controls in effect for CICS regions. Failure to code the appropriate values could result in degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-26428r868637_chk

a) Refer to the following report produced by the z/OS Data Collection:
   - EXAM.RPT(CICSPROC)
   Refer to the following reports produced by the TSS Data Collection:
   - TSSCMDS.RPT(FACLIST) - Preferred report containing all control option values in effect including default values
   - TSSCMDS.RPT(TSSPRMFL) - Alternate report containing only control option values explicitly coded at TSS startup
   Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure the following items are in effect for each CICS region's facility:
   1) The TSS CICS facility is defined with the control option values specified in the TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION Table in the z/OS STIG Addendum.
      Note: An exception to the STIG is MRO CICS regions in production will use SIGN(M) appropriately.
   2) XUSER=YES must be coded in each CICS facility.
   3) CICS transactions defined in the BYPASS list are not sensitive transactions.
c) If the items in (b) are true for every CICS region's facility, there is no finding.
d) If any item in (b) is untrue for a CICS region's facility, this is a finding.

Fix: F-26416r868638_fix

Review the TSS control option values for all CICS facilities. Ensure the following items are in effect for each CICS region's facility:
   1) The TSS CICS facility is defined with the control option values specified in the table "TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION" in the z/OS STIG Addendum.
      Note: An exception is MRO CICS regions in production will use SIGN(M) appropriately.
   2) XUSER=YES must be coded in each CICS facility.
   3) CICS transactions defined in the BYPASS list are not sensitive transactions.